U.S. patent application number 11/331319 was filed with the patent office on 2007-07-12 for method and system for the automatic reroute of data over a local area network.
This patent application is currently assigned to Cisco Technology, Inc. Invention is credited to Christophe Paggen.
Application Number | 20070162612 11/331319 |
Family ID | 38234030 |
Filed Date | 2007-07-12 |
United States Patent Application | 20070162612
Kind Code | A1
Paggen; Christophe | July 12, 2007
Method and system for the automatic reroute of data over a local
area network
Abstract
A method and system for rerouting data over a local area network
is provided. The method comprises defining at least one port group
associated with a bridging device, each port group including
interfaces linked to the bridging device. A plurality of statuses
for each port group is defined, the status being dependent on the
individual statuses of the interfaces linked to the bridging
device. At least one target port associated with each port group is
defined, each target port relating to a path for data. The method further
comprises defining an action for each status of a port group and
monitoring the status of the interfaces forming part of each port
group. In response to determining the status of a port group,
triggering the predefined action associated with the port group
status at one of the port group's target ports.
Inventors: Paggen; Christophe; (Neupre, BE)
Correspondence Address: SCHWEGMAN, LUNDBERG, WOESSNER & KLUTH, P.A., P.O. BOX 2938, MINNEAPOLIS, MN 55402, US
Assignee: Cisco Technology, Inc.
Family ID: 38234030
Appl. No.: 11/331319
Filed: January 12, 2006
Current U.S. Class: 709/238
Current CPC Class: H04L 12/4625 20130101; H04L 12/4641 20130101
Class at Publication: 709/238
International Class: G06F 15/173 20060101 G06F015/173
Claims
1. A method of rerouting data over a local area network, the method
comprising: defining at least one port group associated with a
bridging device, each port group including interfaces linked to the
bridging device; defining a plurality of statuses for each port
group, the status being dependent on the individual statuses of the
interfaces linked to the bridging device and including an
associated predefined action; defining at least one target port
associated with each port group, each target port relating to a
path for data; monitoring the status of the interfaces associated
with each port group; determining the status of each port group
based on the monitored status of the interfaces; and in response to
determining the status of a port group, triggering the predefined
action associated with the port group status at one of the port
group's target ports.
2. The method of claim 1, in which monitoring the status of the
interfaces comprises monitoring when a pre-selected number of ports
in a port group go down, and triggering the predefined action in
response to the monitoring.
3. The method of claim 1, wherein the predefined action bridges two
Local Area Network (LAN) segments.
4. The method of claim 3, in which bridging the two LAN segments
comprises dynamically changing a VLAN membership of at least one
associated target port to a selected VLAN membership to by-pass the
bridging device.
5. The method of claim 1, comprising storing the defined port
groups, interfaces associated with the port groups, the at least
one target ports associated with each port group and the action for
each status of a port group in a memory.
6. The method of claim 5, comprising accessing the memory to
determine the status of each port group and to obtain the
predefined action associated with the port group status.
7. The method of claim 1, wherein the plurality of statuses for
each port group is dependent on the status of the bridging
device.
8. The method of claim 7, comprising monitoring the status of the
bridging device, and determining the status of each port group
based on the monitored status of the bridging device and
interfaces.
9. The method of claim 1, wherein the predefined action is selected
from at least one of rerouting data, activating a backup device,
and sending an error message.
10. A machine-readable medium comprising instructions to reroute
data over a local area network, the instructions when executed by a
machine cause the machine to: define at least one port group
associated with a bridging device, each port group including
interfaces linked to the bridging device; define a plurality of
statuses for each port group, the status being dependent on the
individual statuses of the interfaces linked to the bridging device
and including an associated predefined action; define at least one
target port associated with each port group, each target port
relating to a path for data; monitor the status of the interfaces
associated with each port group; determine the status of each port
group based on the monitored status of the interfaces; and in
response to determining the status of a port group, trigger the
predefined action associated with the port group status at one of
the port group's target ports.
11. A system for rerouting data over a local area network, the
system comprising: a port configuration module to: define at least
one port group associated with a bridging device, each port group
including interfaces linked to the bridging device; define a
plurality of statuses for each port group, the status being
dependent on the individual statuses of the interfaces linked to
the bridging device and including an associated predefined action;
define at least one target port associated with each port group,
each target port relating to a path for data; a detection module
to: monitor the status of the interfaces associated with each port
group; a processor to: determine the status of each port group
based on the monitored status of the interfaces, and trigger, in
response to determining the status of a port group, the predefined
action associated with the port group status at one of the port
group's target ports.
12. The system of claim 11, in which the detection module is
configured to monitor when a pre-selected number of ports in a port
group go down, and the processor is configured to trigger the
predefined action in response to the pre-selected number of ports
going down.
13. The system of claim 11, wherein the predefined action is to
bridge two Local Area Network (LAN) segments.
14. The system of claim 13, in which bridging the two LAN segments
is configured to dynamically change a VLAN membership of at least
one associated target port to a selected VLAN membership to by-pass
the bridging device.
15. The system of claim 14, further comprising a memory to store
the defined port groups, interfaces associated with the port
groups, the at least one target ports associated with each port
group and the action for each status of a port group in a
memory.
16. The system of claim 15, wherein the processor is configured to
access the memory to determine the status of each port group from
the monitored statuses of the interfaces and to obtain the
predefined action associated with the port group status.
17. The system of claim 11, wherein the statuses for each port
group is further dependent on the status of the bridging
device.
18. The system of claim 17, wherein the detection module is
configured to monitor the status of the bridging device, and the
processor is configured to determine the status of each port group
based on the monitored status of the bridging device and
interfaces.
19. A system for rerouting data over a local area network, the
system comprising: means for: defining at least one port group
associated with a bridging device, each port group including
interfaces linked to the bridging device; defining a plurality of
statuses for each port group, the status being dependent on the
individual statuses of the interfaces linked to the bridging device
and including an associated predefined action; defining at least
one target port associated with each port group, each target port
relating to a path for data; means for: monitoring the status of
the interfaces associated with each port group; means for:
determining the status of each port group based on the monitored
status of the interfaces, and triggering, in response to
determining the status of a port group, the predefined action
associated with the port group status at one of the port group's
target ports.
20. The system of claim 19, wherein the predefined action is to
bridge two Local Area Network (LAN) segments.
Description
TECHNICAL FIELD
[0001] The present application relates to the field of
automatically rerouting data within a local area network. In an
example embodiment, the application relates to rerouting data in
the event that a link to an inline bridging device or the bridging
device itself fails.
BACKGROUND
[0002] Various network appliances, such as intrusion prevention
systems (IPS), network monitor probes, anti-virus and e-mail
filters, exist to fulfill specialized requirements within a local
area network (LAN). Typically, these appliances are attached to
existing networking infrastructure equipment, such as LAN switches,
to bridge certain segments of a network, thereby to provide the
specialized requirements. The network appliances may be either
internal or external devices and typically function as inline
devices.
[0003] For example, an IPS device may be used to bridge two LAN
segments together and exercise access control to protect computers
within a segment of the LAN. Malicious and legitimate traffic both
attempt to gain access to the internal virtual LAN (VLAN) segment
of a network and, to do so, traffic enters a LAN switch which forms
part of an external VLAN. The IPS device, which is an external
inline device, bridges the external and internal VLANs together and
thereby forms the only path between the external VLAN and the
internal corporate VLAN. Before passing any traffic on to the
internal VLAN, the IPS device weeds out undesirable traffic (e.g.,
malicious traffic), but allows legitimate traffic through.
[0004] In the event that connectivity to the IPS device fails, for
example, when one of the interfaces that links to the IPS device to
form the bridge fails, or when the IPS device itself fails, the
traffic flow to the internal corporate VLAN, whether legitimate or
malicious, is disrupted. Without a sustained flow of traffic, the
corporate network environment may be critically impacted.
BRIEF DESCRIPTION OF THE DRAWINGS
[0005] Embodiments are illustrated by way of example and not
limitation in the figures of the accompanying drawings, in which
like references indicate similar elements and in which:
[0006] FIG. 1 is a high level schematic diagram depicting a typical
implementation of a system for the automatic rerouting of data over
a local area network in accordance with an example embodiment;
[0007] FIG. 2 is a block diagram illustrating a system for the
automatic rerouting of data over a local area network in accordance
with an example embodiment;
[0008] FIG. 3 is the high level schematic diagram of FIG. 1,
showing an inactive interface to a bridging device;
[0009] FIG. 4 shows the high level schematic diagram of FIG. 3, in
which rerouting of the data is effected by bypassing the bridging
device through a LAN switch;
[0010] FIG. 5 shows a high level schematic diagram of a generic
example embodiment of an implementation of a system for
automatically rerouting data in accordance with an example
embodiment;
[0011] FIG. 6 is a simplified flow diagram illustrating a method of
automatically rerouting data over a local area network in
accordance with an example embodiment; and
[0012] FIG. 7 is a block diagram showing a machine for performing
any one of the exemplary methods described herein.
DETAILED DESCRIPTION
[0013] The present application relates to a system and method for
the automatic rerouting of data over a local area network
(LAN).
[0014] FIG. 1 shows an example embodiment of an implementation of a
system 10 for the automatic rerouting of data. The system 10 is
typically used with internal or external inline bridging devices.
As described by way of example, bridging devices may be network
appliances that are attached to existing networking infrastructure
equipment, such as LAN switches, to bridge certain segments of a
network, thereby to provide specialized requirements to the
network. Examples of bridging devices include intrusion prevention
system (IPS) devices, network monitor probes, anti-virus and e-mail
filters and Layer-7 load balancers.
[0015] In the example embodiment of FIG. 1, the inline bridging
device is shown to be an IPS device 12 that bridges an external LAN
segment that is part of a virtual LAN (VLAN) 14 with an internal
LAN segment, VLAN 16, on which a corporate client network 18
resides. The external LAN segment or VLAN 14 represents clients
beyond the control of the corporate network, e.g. hosts on the
Internet 20. Both malicious and legitimate traffic attempt to gain
access to the internal corporate network VLAN 16, by entering a LAN
switch 22 via an interface that forms part of VLAN 14.
[0016] The IPS device 12 bridges VLAN 14 and VLAN 16 together, via
the LAN switch 22, thereby creating the only possible path for
traffic to enter the internal corporate network. The IPS device 12
is linked to the LAN switch 22 via Interface A 24 and Interface B
26. Due to this configuration, the IPS device 12 is able to weed
out undesirable and malicious traffic and to let legitimate traffic
through to the internal corporate network 18 on VLAN 16.
[0017] In this example embodiment, the rerouting system 10 forms
part of the LAN switch 22. As will be described in more detail
below, the rerouting system 10 monitors Interface A and Interface B
thereby to determine the status of a port group.
[0018] Turning to FIG. 2, the rerouting system 10 is shown to
include a port configuration module 40, a detection module 42, a
processor 44 and a memory 46.
[0019] The port configuration module 40 is used by an administrator
or user of the internal corporate network to set up parameters for
the rerouting system 10 in accordance with the specific
requirements for the implementation of the rerouting system 10. In
particular, the port configuration module 40 is used to define at
least one port group associated with the IPS device 12, where each
port group includes a number of interfaces linked to the IPS device
12. The port configuration module 40 is also used to define a
plurality of statuses for each port group, the statuses typically
being an active status or an inactive status. The status for each
port group will be dependent on the individual statuses of the
interfaces linked to the IPS device 12. However, the status may
also be dependent on the status of the IPS device 12. The port
configuration module 40 is further used to define at least one
target port associated with each port group, with each target port
relating to a path or destination for data or traffic that is being
bridged by the IPS device 12. An action for each status of a port
group is also defined by using the port configuration module
40.
[0020] The detection module 42 monitors and detects the status of
the interfaces of each port group. The detection module 42 may
further monitor and detect the status of the IPS device 12. The
detection module 42 may operate by either sending or receiving
signals to the respective interface or IPS device 12 in order to
establish whether the interface or device is active or inactive. In
an example embodiment, protocols and mechanisms defined by IEEE
standard 802.3 and its extension 802.3z, such as Far-End
Fault-Indication (FEFI) and Gigabit-Ethernet Auto-negotiation, are
used to detect whether a given physical link is able to receive and
transmit data.
The detection module 42 can process FEFI and/or Gigabit-Ethernet
Auto-negotiation messages and place the physical port into a
non-operational state if need be.
[0021] The processor 44 determines, in response to detecting the
status of the interfaces of each port group and the bridging
device, a status for each port group in accordance with the
predefined status of each port group. In response to determining an
inactive status for a port group, the processor triggers a
predefined action associated with the port group status at one of
the port group's target ports.
[0022] The memory 46 is used to store data and information relating
to the defined port groups, interfaces associated with the port
groups, the at least one target ports associated with each port
group and the action for each status of a port group.
[0023] For example, for the system of FIG. 1, a port group 1 may be
defined by a user, with Interface A 24 and Interface B 26 both
being included as interfaces in port group 1 linking to the IPS
device 12. The active and inactive statuses for port group 1 are
shown in Table 1 below, where "0" indicates an inactive status
for an interface or bridging device (IPS device 12) and "1"
indicates an active status for an interface or bridging device (IPS
device 12):

TABLE 1: Status Table for Port Group 1

STATUS PORT GROUP 1   1  0  0  0  0  0  0  0
Interface A           1  0  1  1  1  0  0  0
Interface B           1  1  0  1  0  1  0  0
IPS device            1  1  1  0  0  0  1  0

[0024] As shown in Table 1, whenever any of the interfaces or the
IPS device 12 is inactive, typically due to a failure, the status
of port group 1 becomes inactive. One such scenario is shown in
FIG. 3, where Interface A 24 is down or inactive. Traffic enters
the LAN switch 22 but cannot be bridged via the IPS device 12 to
VLAN 16. The detection module 42 of the rerouting system 10
monitors and detects the inactive status of Interface A and the
processor 44, using the status table for port group 1, determines
an inactive status for Port Group 1. Without the rerouting system
10, the transfer of data or traffic to the internal corporate
network 18 would have been disrupted.
[0025] In this example embodiment, only one target port is defined
for port group 1, namely interface VLAN 16 which links the LAN
switch 22 with the internal corporate network 18. Whenever an
inactive status is determined by the processor 44, the processor 44
triggers a predefined action to the target port.
[0026] In this example embodiment, the predefined action, as shown
in FIG. 4, is to modify the VLAN membership of the target port from
VLAN 16 to VLAN 14. In doing so, a Layer-2 bridged path between the
external network 20 and the internal corporate network 18 is
created. By placing the internal port onto the same VLAN as the
external port, connectivity between the external network 20 and the
internal corporate network 18 is restored, although traffic is no
longer being filtered by the IPS device 12. However, in this
example embodiment, at least some level of service is provided.
[0027] FIG. 5 shows a generic example embodiment of an
implementation of a system for rerouting data according to the
present application. This implementation will be described by way
of example according to the flow diagram as shown in FIG. 6.
[0028] A VLAN segment 80 of an external network 82 is bridged via a
LAN switch 84 to Port A 86, Port B 88, Port C 90 and backup Port D
92, by inline bridging device 94. VLAN segment 80 is linked to the
bridging device 94 by Interface 1 96 and Interface 2 98, while the
bridging device 94 is linked to Port A 86, Port B 88, Port C 90 and
backup Port D 92, via LAN switch 84, by the Interface 3 100 and the
Interface 4 102. The LAN switch 84 is also connected to a backup
LAN switch 104 via an Interface 5 106 and an Interface 6 108. The
rerouting system 110 of this example embodiment also forms part of
the LAN switch 84.
[0029] As shown in operation 120 of FIG. 6, the port configuration
module 40 of the rerouting system 110 is used to define at least
one port group associated with the bridging device 94. Each port
group includes a number of interfaces linked to the bridging device
94. In this example embodiment, the following port groups with
their associated interfaces are defined:
[0030] Port Group 1: Interface 1, Interface 2, Interface 3 and
Interface 4;
[0031] Port Group 2: Interface 1 and Interface 3
[0032] Port Group 3: Interface 2 and Interface 4
[0033] In operation 122, the port configuration module 40 is used
to define a plurality of statuses for each port group. For example,
as Port Group 1 includes a variety of interfaces, the status of
Port Group 1 may include the following: active--two interfaces on,
active--one interface on, inactive--input interfaces down,
inactive--output interfaces down and inactive--bridging device
failure. Table 2 shows the different statuses for Port Group 1,
where "0" is an inactive status, "01" is inactive--input interfaces
down, "10" is inactive--output interfaces down, "1" is active,
one interface on, and "2" is active, two interfaces on.

TABLE 2: Status Table for Port Group 1, 4 interfaces

STATUS PORT GROUP 1   2    1    1    1    1    1    1    1    1    01   10   0    0    0    0    0    0
Interface 1           1    0    1    1    1    0    1    1    0    1    0    1    0    0    0    0    1/0
Interface 2           1    1    0    1    1    1    0    0    1    1    0    0    1    0    0    0    1/0
Interface 3           1    1    1    0    1    0    1    0    1    0    1    0    0    1    0    0    1/0
Interface 4           1    1    1    1    0    1    0    1    0    0    1    0    0    0    1    0    1/0
Bridging device       1    1    1    1    1    1    1    1    1    1    1    1    1    1    1    1    0

[0034] Both Port Group 2 and 3 are respectively inactive as soon as
either interface or the bridging device 94 is inactive. Table 3,
which is similar to Table 1, shows this configuration:

TABLE 3: Status Table for Port Group 2 and 3

STATUS                1  0  0  0  0  0  0  0
PORT GROUP 2
Interface 1           1  0  1  1  1  0  0  0
Interface 3           1  1  0  1  0  1  0  0
Bridging device       1  1  1  0  0  0  1  0
PORT GROUP 3
Interface 2           1  0  1  1  1  0  0  0
Interface 4           1  1  0  1  0  1  0  0
Bridging device       1  1  1  0  0  0  1  0

[0035] The port configuration module 40 is also used to define at
least one target port for each port group, as shown in operation
124. Each target port is typically related to a path or destination
for data or traffic that is being bridged by the bridging device
94.
[0036] In the example embodiment, Port Group 1 has Port A 86 and
Port B 88 as target ports. Port Group 2 has Port B 88 and backup
LAN switch 104 as target ports, while Port Group 3 has Port C 90
and backup Port D 92 as target ports.
[0037] In operation 126, the port configuration module 40 defines
an action associated with each status of a port group. For example,
for the system of FIG. 5, the following actions may be associated
with the following statuses of Port Group 1:

TABLE 4: Action Table for Port Group 1

PORT GROUP 1 STATUS | PREDEFINED ACTION
Inactive | VLAN membership of Port A and Port B will dynamically be adjusted to VLAN segment 80
Inactive - Input Interfaces Down | VLAN membership of Port A and Port B will dynamically be adjusted to VLAN segment 80, send Input Interface Down alert
Inactive - Output Interfaces Down | VLAN membership of Port A and Port B will dynamically be adjusted to VLAN segment 80, send Output Interface Down alert
Active, One Interface On | No transmission of data to Port B, traffic directed to Port A
Active, Two Interfaces On | No action

[0038] For Port Group 2, the inactive status action is to use the
Interface 5 106 and the Interface 6 108 to link to backup LAN
switch 104, while the inactive status action for Port Group 3 is to
activate and reroute traffic to backup Port D 92. It will be
appreciated that a type of tag and template approach is provided in some
example embodiments. For example, a tag action list may be
associated with a port.
[0039] It will be appreciated that the predetermined actions may
include rerouting data, activating a back-up device or sending an
error or alert message. In an example embodiment, the status of the
interfaces is monitored to determine when a pre-selected number of
ports in a port group go down, and a predefined action is triggered
in response to the monitoring. As mentioned above, the predefined
action may bridge two Local Area Network (LAN) segments, for
example, bridge the two LAN segments by dynamically changing a VLAN
membership of associated target ports to a selected VLAN
membership. Thus, the bridging device may be by-passed under
software control.
[0040] The method of the example embodiment typically also
includes, as shown in operation 128, storing the defined port
groups, interfaces associated with the port groups, the at least
one target port associated with each port group and the action for
each status of a port group in the memory.
[0041] As shown in operation 130, the detection module 42 of the
rerouting system 10 monitors and detects the status of the various
interfaces associated with each port group. The bridging device may
also be monitored to detect any change in its status.
[0042] The processor 44 of the rerouting system now determines,
shown in operation 132, after detecting the status of the
interfaces and/or bridging device associated with each port group,
the status of each port group by accessing the predefined
relationship between the status of the port group and the status of
the interfaces and/or bridging device. The predefined status for
each port group will typically comprise tables similar to the
examples provided above.
[0043] In response to determining a status for a port group, as
shown in operation 132, the processor triggers a predefined action
(operation 134, 136 and 138) associated with the status at one of
the target ports of the port group, which action is obtained from
the memory.
[0044] For example, for the system of FIG. 5, once an inactive
status is detected for Port Group 1, the VLAN membership of Port A
86 and Port B 88 will dynamically be adjusted to VLAN segment 80.
Should an Active, One Interface On status be determined, the action
that is triggered is to stop transmitting data to Port B 88, but
only to transmit data to Port A 86.
[0045] In the event that an inactive status is determined for Port
Group 2, LAN switch 84 uses Interface 5 106 and Interface 6 108 to
link to backup LAN switch 104, thereby to reroute traffic or data
to this LAN switch. In the event that an inactive status is
determined for Port Group 3, the rerouting system activates backup
Port D 92, thereby rerouting all data to Port D 92.
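The FIG. 5 configuration of operations 120 to 138, as an added Python sketch (not code from the application): the three port groups, the status rules of Tables 2 and 3, and the action lists of Table 4 and paragraph [0038], with actions fired only when a group's status changes. It assumes Interfaces 1 and 2 are the input side and Interfaces 3 and 4 the output side; the action verbs, the `Rerouter` class and its `unfiltered_ports` set are hypothetical names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Status names as written in Tables 2-4 of the application.
ACTIVE_2 = "Active, Two Interfaces On"
ACTIVE_1 = "Active, One Interface On"
INPUT_DOWN = "Inactive - Input Interfaces Down"
OUTPUT_DOWN = "Inactive - Output Interfaces Down"
INACTIVE = "Inactive"
ACTIVE = "Active"
Action = Tuple[str, str, str]  # (hypothetical verb, target port, argument)


@dataclass
class PortGroup:
    name: str
    inputs: List[str]   # assumption: links on the VLAN segment 80 side
    outputs: List[str]  # assumption: links on the target-port side
    graded: bool        # True: Table 2 statuses, False: Table 1/3 statuses
    actions: Dict[str, List[Action]] = field(default_factory=dict)

    def status(self, link_up: Dict[str, bool], device_up: bool = True) -> str:
        ins = [link_up[i] for i in self.inputs]
        outs = [link_up[i] for i in self.outputs]
        if not self.graded:  # any single failure makes the group inactive
            return ACTIVE if device_up and all(ins + outs) else INACTIVE
        if not device_up:
            return INACTIVE
        if all(ins) and all(outs):
            return ACTIVE_2
        if any(ins) and any(outs):  # one usable path through the device
            return ACTIVE_1
        if all(outs) and not any(ins):
            return INPUT_DOWN
        if all(ins) and not any(outs):
            return OUTPUT_DOWN
        return INACTIVE


def bypass(ports: List[str]) -> List[Action]:
    """Move target ports onto VLAN segment 80, around the bridging device."""
    return [("set_vlan", p, "VLAN segment 80") for p in ports]


GROUPS = [
    PortGroup("Port Group 1", ["Interface 1", "Interface 2"],
              ["Interface 3", "Interface 4"], True, {
        INACTIVE: bypass(["Port A", "Port B"]),
        INPUT_DOWN: bypass(["Port A", "Port B"]) + [("alert", "-", "Input Interface Down")],
        OUTPUT_DOWN: bypass(["Port A", "Port B"]) + [("alert", "-", "Output Interface Down")],
        ACTIVE_1: [("stop_forwarding", "Port B", ""), ("forward", "Port A", "")],
        ACTIVE_2: [],  # Table 4: no action
    }),
    PortGroup("Port Group 2", ["Interface 1"], ["Interface 3"], False, {
        INACTIVE: [("use_backup_switch", "backup LAN switch 104", "Interface 5, Interface 6")],
    }),
    PortGroup("Port Group 3", ["Interface 2"], ["Interface 4"], False, {
        INACTIVE: [("activate", "backup Port D", "")],
    }),
]


class Rerouter:
    """Edge-triggered dispatcher: actions fire only on a status change."""

    def __init__(self, groups: List[PortGroup]):
        self.groups = groups
        self.last: Dict[str, str] = {}
        self.unfiltered_ports: Set[str] = set()  # ports moved around the device

    def poll(self, link_up: Dict[str, bool], device_up: bool = True):
        fired = []
        for g in self.groups:
            st = g.status(link_up, device_up)
            if self.last.get(g.name) == st:
                continue
            self.last[g.name] = st
            for verb, target, arg in g.actions.get(st, []):
                if verb == "set_vlan":
                    self.unfiltered_ports.add(target)
                fired.append((g.name, st, verb, target, arg))
        return fired


if __name__ == "__main__":
    links = {f"Interface {n}": True for n in (1, 2, 3, 4)}  # constructed sample state
    r = Rerouter(GROUPS)
    r.poll(links)
    print(r.poll(dict(links, **{"Interface 1": False, "Interface 2": False})))
    print(sorted(r.unfiltered_ports))
```

Table 4 lists no action for the active statuses, so in this sketch Port A and Port B stay in `unfiltered_ports` after every link recovers. That set is what an operator would watch to know which target ports are still passing traffic around the bridging device.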
[0046] It would be appreciated that various port groups, statuses
for port groups, target ports associated with a port group and
actions associated with each status of a port group may be defined
by a user and that these features would typically depend on the
application and bridging device used. This predefined data is
stored in the memory 46 of the rerouting system 10.
[0047] FIG. 7 shows a diagrammatic representation of a machine in the
exemplary form of a computer system 300 within which a set of
instructions, for causing the machine to perform any one or more of
the methodologies discussed herein, may be executed. In alternative
embodiments, the machine operates as a standalone device or may be
connected (e.g., networked) to other machines. In a networked
deployment, the machine may operate in the capacity of a server or
a client machine in a server-client network environment, or as a peer
machine in a peer-to-peer (or distributed) network environment. The
machine may be a personal computer (PC), a tablet PC, a set-top box
(STB), a Personal Digital Assistant (PDA), a cellular telephone, a
web appliance, a network router, switch or bridge, or any machine
capable of executing a set of instructions (sequential or
otherwise) that specify actions to be taken by that machine.
Further, while only a single machine is illustrated, the term
"machine" shall also be taken to include any collection of machines
that individually or jointly execute a set (or multiple sets) of
instructions to perform any one or more of the methodologies
discussed herein.
[0048] The exemplary computer system 300 includes a processor 302
(e.g., a central processing unit (CPU), a graphics processing unit
(GPU) or both), a main memory 304 and a static memory 306, which
communicate with each other via a bus 308. The computer system 300
may further include a video display unit 310 (e.g., a liquid
crystal display (LCD) or a cathode ray tube (CRT)). The computer
system 300 also includes an alphanumeric input device 312 (e.g., a
keyboard), a user interface (UI) navigation device 314 (e.g., a
mouse), a disk drive unit 316, a signal generation device 318
(e.g., a speaker) and a network interface device 320.
[0049] The disk drive unit 316 includes a machine-readable medium
on which is stored one or more sets of instructions and data
structures (e.g., software 324) embodying or utilized by any one or
more of the methodologies or functions described herein. The
software 324 may also reside, completely or at least partially,
within the main memory 304 and/or within the processor 302 during
execution thereof by the computer system 300, the main memory 304
and the processor 302 also constituting machine-readable media.
[0050] The software 324 may further be transmitted or received over
a network 326 via the network interface device 320 utilizing any
one of a number of well-known transfer protocols (e.g., HTTP).
[0051] While the machine-readable medium 322 is shown in an
exemplary embodiment to be a single medium, the term
"machine-readable medium" should be taken to include a single
medium or multiple media (e.g., a centralized or distributed
database, and/or associated caches and servers) that store the one
or more sets of instructions. The term "machine-readable medium"
shall also be taken to include any medium that is capable of
storing, encoding or carrying a set of instructions for execution
by the machine and that cause the machine to perform any one or
more of the methodologies of the present invention, or that is
capable of storing, encoding or carrying data structures utilized
by or associated with such a set of instructions. The term
"machine-readable medium" shall accordingly be taken to include,
but not be limited to, solid-state memories, optical and magnetic
media, and carrier wave signals.
[0052] Although an embodiment of the present invention has been
described with reference to specific exemplary embodiments, it will
be evident that various modifications and changes may be made to
these embodiments without departing from the broader spirit and
scope of the invention. Accordingly, the specification and drawings
are to be regarded in an illustrative rather than a restrictive
sense.